General
-
Target
shellbug.exe
-
Size
45KB
-
Sample
240726-vmx74avdmg
-
MD5
e73ddfdec9b3773f3c711c5ef52da87e
-
SHA1
269b2852f23b991b81faeb15ca2e14dc2fa4156f
-
SHA256
bff19bf2fe8160235c238b3c6d7a4be3e69289b048f1adec196c8a762fbff1d3
-
SHA512
3f737e9ecfac3ac553c9737c101ab2192a09310fe47d8849857f27e3e2baa4594d2fc3cc3f6088cfad9afd671584dabf1d8d26057208942b48cd059ae6c93046
-
SSDEEP
768:QPLSrMoisb1QUhjKNcNc9ElGRDXDgVdD7abFEPt9ObWQ6BOuhpzj5D:QOyABKaaSlmmdDwFY9Uv6BOuDh
Malware Config
Extracted
xworm
5.0
picture-competent.gl.at.ply.gg:24783:2543
QbaLOLRr0WYsOjrU
-
Install_directory
%ProgramData%
-
install_file
svchost.exe
Targets
-
-
Target
shellbug.exe
-
Size
45KB
-
MD5
e73ddfdec9b3773f3c711c5ef52da87e
-
SHA1
269b2852f23b991b81faeb15ca2e14dc2fa4156f
-
SHA256
bff19bf2fe8160235c238b3c6d7a4be3e69289b048f1adec196c8a762fbff1d3
-
SHA512
3f737e9ecfac3ac553c9737c101ab2192a09310fe47d8849857f27e3e2baa4594d2fc3cc3f6088cfad9afd671584dabf1d8d26057208942b48cd059ae6c93046
-
SSDEEP
768:QPLSrMoisb1QUhjKNcNc9ElGRDXDgVdD7abFEPt9ObWQ6BOuhpzj5D:QOyABKaaSlmmdDwFY9Uv6BOuDh
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-